Google's Threat Analysis Group (TAG) says HYPERSCAPE is being used by state-backed persistent threat groups to harvest the emails that accumulate in a victim's inbox. Google's security research team says it has a working version of the tool and is running simulations to assess the risk level. This looks like a dangerous hack, not least because it does not rely on tricking victims into installing it. Instead, it is an attacker endpoint threat that can install malware on its own, although it does need the account credentials or session cookies of a user before a successful attack can be mounted.
Attack
In other words, the attackers must first log into the target account. In its blog post, Google TAG explains how HYPERSCAPE proceeds once an account is breached:

“It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread.

“After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file.”

HYPERSCAPE’s use seems to be limited to Iran at the moment. However, nothing currently stops the tool from being used by other threat groups.
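As an added illustration (not part of the article or of Google's report), the following Python sketch shows how a defender might look for the sequence TAG describes in account audit events: a login with an outdated user agent, a language switch to English that is later reverted, a bulk message download, and deletion of Google security notifications. The event format, field values, user-agent markers and threshold are constructed for the example and are not Google's log schema.

```python
from collections import defaultdict

# Constructed sample audit events (not a real Google log format): each is
# (account, action, detail). Alice's events mirror the HYPERSCAPE sequence;
# Bob's are ordinary activity used as a control.
SAMPLE_EVENTS = [
    ("alice@example.test", "login", "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"),
    ("alice@example.test", "setting_change", "language=en"),
    *[("alice@example.test", "message_fetch", f"msg-{i}") for i in range(120)],
    ("alice@example.test", "setting_change", "language=fa"),
    ("alice@example.test", "message_delete", "from=no-reply@accounts.google.com"),
    ("bob@example.test", "login", "Mozilla/5.0 (Windows NT 10.0) Chrome/104.0"),
    ("bob@example.test", "message_fetch", "msg-1"),
]

# Assumed markers of a legacy browser (the kind that triggers basic HTML view).
OUTDATED_UA_MARKERS = ("Firefox/3.", "MSIE ", "Windows NT 5.1")
FETCH_THRESHOLD = 100  # assumed: individual fetches in one session that look like a sweep


def score_account(events):
    """Return the set of HYPERSCAPE-like indicators present in one account's events."""
    indicators = set()
    fetches = 0
    languages = []
    for _, action, detail in events:
        if action == "login" and any(m in detail for m in OUTDATED_UA_MARKERS):
            indicators.add("outdated_user_agent")
        elif action == "setting_change" and detail.startswith("language="):
            languages.append(detail.split("=", 1)[1])
        elif action == "message_fetch":
            fetches += 1
        elif action == "message_delete" and "accounts.google.com" in detail:
            indicators.add("security_alert_deleted")
    if fetches >= FETCH_THRESHOLD:
        indicators.add("bulk_download")
    # Language set to English and later restored: the bracket around the sweep.
    if len(languages) >= 2 and languages[0] == "en" and languages[-1] != "en":
        indicators.add("language_toggle")
    return indicators


def flag_accounts(events, min_indicators=3):
    """Group events by account and report accounts with enough indicators."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[0]].append(ev)
    flagged = {}
    for acct, evs in by_account.items():
        found = score_account(evs)
        if len(found) >= min_indicators:
            flagged[acct] = sorted(found)
    return flagged
```

Any single indicator (an old browser, a language change) is common on its own; requiring several of them together in one session is what makes the sequence worth an alert.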